PCI DSS compliance in Canada 2026: a merchant’s guide

If your business accepts credit or debit cards, even just one payment per month, you are required to be PCI DSS compliant. The obligation is contractual rather than statutory (it reaches you from the card networks through your payment processor), but it is binding all the same. And yet, according to industry estimates, more than 6 out of 10 Canadian merchants don’t know exactly what this means for them. Worse still, in the event of a data breach, penalties can run into tens of thousands of dollars in fines, not to mention the cost of customer notification and civil proceedings.

The good news? For the vast majority of SMEs, restaurants, clinics and boutiques in Quebec and Canada, PCI DSS compliance is easier than you might think, especially when your payment service provider, like us, does most of the work.

In this guide, we demystify PCI DSS compliance in 2026: the 4 merchant levels, the 12 requirements to be met, the concrete penalties, and how point-to-point encryption (P2PE), tokenization solutions and certified terminals radically simplify compliance.

What is PCI DSS compliance and why is your business concerned?

PCI DSS stands for Payment Card Industry Data Security Standard. It is a set of security standards developed by the major card networks (Visa, Mastercard, American Express, Discover, JCB) and managed by the PCI Security Standards Council (PCI SSC).

In concrete terms, PCI DSS defines how you must protect your customers’ payment card data: the card number (PAN), expiry date, cardholder name, CVV code, magnetic stripe or chip data, PIN, etc. The PAN and the data stored alongside it are collectively known as cardholder data: they must be encrypted at rest, stored only if there is a genuine business need (ideally not at all) and transmitted only over protected channels. The CVV, the full magnetic stripe or chip data and the PIN are sensitive authentication data, and the rule for them is stricter: they must never be stored after the transaction is authorized, not even encrypted.

Who needs to be PCI DSS compliant in Canada?

Any business that accepts, processes, stores or transmits payment card data, regardless of volume. This includes:

  • Restaurants that take cards in person or for telephone orders
  • Retail stores with a physical terminal or an online store
  • Medical, dental, veterinary and beauty clinics
  • Non-profit organizations collecting card donations
  • Independent professionals billing by card
  • E-businesses of all sizes

Even if you only process one card transaction per month, the obligation still applies. Compliance isn’t a government law in the strict sense of the word; it’s a contractual obligation imposed by your payment processor and card networks. But the consequences of non-compliance (fines, suspension of card payments, civil liability in the event of a leak) are very real.

The version in force in 2026 is PCI DSS 4.0.1. Version 3.2.1 was retired on 31 March 2024, version 4.0.1 (a limited revision of 4.0) was published in June 2024, and the requirements that 4.0 had marked as future-dated became mandatory on 31 March 2025. This version imposes enhanced requirements for multi-factor authentication (MFA) on every access into the cardholder data environment, for continuous monitoring, and for the inventory and tamper detection of scripts on online payment pages (Requirements 6.4.3 and 11.6.1).

The 4 levels of PCI DSS compliance – what’s yours?

PCI DSS standards apply differently depending on the annual volume of card transactions processed by your business. There are 4 levels, determined mainly by annual Visa transactions (other networks generally follow the same thresholds).

Level 1: More than 6 million transactions per year

  • Annual on-site assessment by a Qualified Security Assessor (QSA), documented in a Report on Compliance (ROC)
  • Quarterly external vulnerability scan by an Approved Scanning Vendor (ASV)
  • Attestation of Compliance (AOC) signed by an executive

Level 2: Between 1 million and 6 million transactions per year

  • Annual self-assessment questionnaire (SAQ), or a QSA assessment where the card network requires it
  • Quarterly ASV scan
  • Signed Attestation of Compliance (AOC)

Level 3: Between 20,000 and 1 million e-commerce transactions per year

  • Annual self-assessment questionnaire (SAQ)
  • Quarterly ASV scan of Internet-facing systems
  • Signed Attestation of Compliance (AOC)

Level 4: Fewer than 20,000 e-commerce transactions, or fewer than 1 million total transactions per year

  • Annual self-assessment questionnaire (SAQ): usually SAQ A for an online checkout that is fully outsourced, SAQ B-IP or SAQ P2PE for a store that only uses a terminal
  • Quarterly ASV scan where the chosen SAQ requires it (recommended for any e-commerce site in any case)
  • Signed Attestation of Compliance (AOC)

The vast majority of Canadian SMEs (over 95%) fall into Level 4. For you, compliance mainly means completing a self-assessment questionnaire every year (SAQ A for an outsourced online checkout, SAQ B-IP or SAQ P2PE for a store terminal), typically 15 to 20 minutes of work once you know which questionnaire applies. It’s manageable, provided you use a payment provider who has already done most of the work for you.

The 12 PCI DSS requirements explained simply

PCI DSS 4.0.1 organizes its obligations around 12 main requirements, grouped into 6 categories.

Building and maintaining a secure network and systems

1. Install and maintain network security controls (the firewall in your router and on your computers) to protect payment systems. A router left in its factory configuration does not count.

2. Never keep vendor defaults on your terminals, POS or Wi-Fi router: default passwords, default administrator accounts and default management settings all have to be changed before the device goes live.

Protecting cardholder data

3. Protect stored account data. Ideally, don’t store it at all (best is to delegate everything to your processor). If you must keep a card number, it has to be rendered unreadable (strong encryption, truncation, hashing or tokenization) and masked wherever it is displayed, and it must never be written into logs, spreadsheets or paper notes.

4. Encrypt card data with strong cryptography whenever it crosses an open, public network (TLS on every page of an e-commerce site, WPA2 or WPA3 rather than open Wi-Fi in stores).
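Requirement 3 is the one most often broken by accident: a PAN ends up in a POS log, an export or a support ticket. The scan below, an added example that is not Geasy Pay or Global Payments code, finds card numbers in text by combining a digit-run pattern with the Luhn check digit test, so order numbers and phone numbers are not flagged, and masks hits to the first six and last four digits. The sample log lines are constructed; the card numbers in them are published test numbers, not real cards.

```python
"""Find and mask card numbers (PANs) in text such as POS logs or exports.

Added example for this guide, not Geasy Pay or Global Payments code. The sample
log lines are constructed; the card numbers are published test numbers.
"""
import re
from typing import Optional

# A run of 13 to 19 digits, optionally separated by single spaces or dashes,
# that is not embedded in a longer run of digits.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test (ISO/IEC 7812). Every real PAN passes it; most
    random digit strings do not, which is what keeps false positives down."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, the most Requirement 3.4.1
    allows to be displayed; everything in between becomes '*'."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _pan_in(match: "re.Match[str]") -> Optional[str]:
    """Unformatted PAN if the matched digit run passes Luhn, else None."""
    digits = re.sub(r"[ -]", "", match.group())
    return digits if luhn_ok(digits) else None


def find_pans(text: str) -> list[str]:
    """Return every Luhn-valid PAN found in text, unformatted. Use this only to
    count and locate hits; never write the returned values to another log."""
    return [d for d in (_pan_in(m) for m in _CANDIDATE.finditer(text)) if d]


def redact(text: str) -> str:
    """Return text with every Luhn-valid PAN replaced by its masked form.
    Numbers that look like cards but fail Luhn are left untouched."""
    def _sub(m: "re.Match[str]") -> str:
        pan = _pan_in(m)
        return mask_pan(pan) if pan else m.group()
    return _CANDIDATE.sub(_sub, text)


SAMPLE_LOG = (  # constructed lines in the style of a POS/order log
    "2026-03-02 10:14:07 order=1234567890123459 total=42.50 status=paid\n"
    "2026-03-02 10:14:09 phone order from 514-555-0199 card 4111 1111 1111 1111 exp 09/28\n"
    "2026-03-02 10:15:22 refund card=5555-5555-5555-4444 amount=12.00\n"
    "2026-03-02 10:16:01 token=tok_8f3a9c1d request ok\n"
)

if __name__ == "__main__":
    hits = find_pans(SAMPLE_LOG)
    print(f"{len(hits)} card number(s) found in log")
    print(redact(SAMPLE_LOG))
```

Run it over a day of POS logs or an accounting export; any hit means a card number has been written somewhere it should not be. Masking the file afterwards limits the damage, but the real fix is to stop the system that wrote the number (a phone-order form, a debug log, a staff note) from ever doing so.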

Maintain a vulnerability management program

5. Protect all systems against malware: up-to-date anti-malware software on every computer that handles payment data, kept running, updated and logging.

6. Develop and maintain secure systems, i.e. install security updates for your POS, terminal, computer, etc.

Implement strict access controls

7. Restrict access to payment data to strictly necessary personnel.

8. Identify each user uniquely. Each employee must have his or her own account and password, and since PCI DSS 4.0, multi-factor authentication (MFA) is mandatory for all access into the cardholder data environment, not just remote or administrative access (Requirement 8.4.2, enforced since 31 March 2025).

9. Restrict physical access to card data (no paper with card number lying around the cash register).

Regular network monitoring and testing

10. Track and monitor all access to resources and payment data (logs).

11. Regularly test security systems and processes: vulnerability scans, change and tamper detection on online payment pages, and internal and external penetration tests where the full standard applies (a ROC or SAQ D), which in practice means Level 1 and 2 merchants and anyone who stores card data.
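The script requirements mentioned above (6.4.3, an authorized inventory of every script on the payment page, and 11.6.1, detecting changes to that page) are the part of Requirement 11 that most affects a small online store. The check below is an added example, not Geasy Pay or Global Payments code: it records the scripts you approved on a page (external ones by their Subresource Integrity hash, inline ones by a hash of their body) and reports anything added, removed, changed or loaded without an integrity hash. Both HTML pages are constructed and the hostnames are placeholders.

```python
"""Inventory the scripts on a payment page and flag unauthorized changes.

Added example for this guide, not Geasy Pay or Global Payments code. Both
pages below are constructed; the hostnames are placeholders.
"""
import hashlib
from html.parser import HTMLParser


class _ScriptCollector(HTMLParser):
    """Collect every <script>: its src and integrity attributes, or its inline body."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts: list[dict] = []
        self._current = None
        self._buf: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._current = {"src": a.get("src"), "integrity": a.get("integrity")}
            self._buf = []

    def handle_data(self, data):
        if self._current is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self._current["body"] = "".join(self._buf).strip()
            self.scripts.append(self._current)
            self._current = None


def script_inventory(html: str) -> dict[str, str]:
    """One entry per script. External scripts are keyed by src and valued by
    their integrity (SRI) attribute, or 'NO-SRI' if none. Inline scripts are
    keyed by the SHA-256 of their body, so any edit shows up as a new entry."""
    p = _ScriptCollector()
    p.feed(html)
    p.close()
    inv: dict[str, str] = {}
    for s in p.scripts:
        if s["src"]:
            inv[s["src"]] = s["integrity"] or "NO-SRI"
        else:
            digest = hashlib.sha256(s["body"].encode("utf-8")).hexdigest()
            inv[f"inline:{digest[:16]}"] = "inline"
    return inv


def check_page(baseline: dict[str, str], live_html: str) -> dict[str, list[str]]:
    """Compare the page as served against the approved baseline."""
    current = script_inventory(live_html)
    return {
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
        "changed": sorted(k for k in current if k in baseline and current[k] != baseline[k]),
        # An external script with no SRI hash can change on its CDN without any
        # change to your page, so it needs either a hash or a written justification.
        "no_sri": sorted(k for k, v in current.items() if v == "NO-SRI"),
    }


APPROVED_PAGE = """<html><body>
<form id="checkout" action="https://pay.example.test/submit" method="post"></form>
<script src="https://pay.example.test/checkout.js"
        integrity="sha384-EXAMPLEHASHOFAPPROVEDSCRIPT" crossorigin="anonymous"></script>
<script>window.checkoutConfig = {currency: "CAD", locale: "fr-CA"};</script>
</body></html>"""

# The same page as served later, with two scripts nobody approved (constructed).
LIVE_PAGE = APPROVED_PAGE.replace(
    "</body>",
    '<script src="https://cdn.example.test/widgets.js"></script>\n'
    '<script>document.title = "Checkout";</script>\n</body>',
)

BASELINE = script_inventory(APPROVED_PAGE)

if __name__ == "__main__":
    for kind, keys in check_page(BASELINE, LIVE_PAGE).items():
        for k in keys:
            print(f"{kind:8s} {k}")
```

The check does not care what an unexpected script does; a new analytics tag and a card skimmer look the same to it, which is the point of 11.6.1. To serve as a control it has to run against the live URL on a schedule (the standard asks for at least weekly) and alert someone, and 6.4.3 additionally wants a written business justification kept for every script in the baseline.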

Maintaining an information security policy

12. Maintain a written policy covering information security for all personnel.

For a Level 4 merchant (the majority of SMEs), most of these requirements are covered for you when you use a certified payment provider like Geasy Pay. Your provider takes care of encryption, secure storage, cloud firewalls and infrastructure compliance. You remain responsible for what sits on your side of the terminal: user accounts and passwords, the Wi-Fi network, the physical security of the terminal, and making sure no card number is ever written down or typed into another system.

Penalties for non-compliance (and hidden costs)

Many merchants believe that PCI DSS non-compliance has no real consequences as long as they have no data leakage. This is not true. Sanctions apply on several levels, some of which are already active without you even realizing it.

1. Monthly PCI non-compliance fee on your statement

This is the most common. Your payment processor charges you between $20 and $80 a month if you haven’t filled out your annual SAQ questionnaire. Cumulated over 12 months, that’s $240 to $960 a year, simply because you didn’t take 20 minutes to fill out a form. Check your statement: the line is often called PCI Non-Compliance Fee or PCI Compliance Fee.

2. Card network fines for violations

If a data breach occurs and it’s shown that your business wasn’t PCI DSS compliant, the networks can impose fines ranging from $5,000 to $100,000 per month until compliance is achieved. For a small business, this can be existential.

3. Costs associated with a data breach

Beyond the fines, a data leak leads to:

  • Investigation costs ($15,000 to $50,000) to identify the cause and extent of the leak
  • Notification costs for affected customers, mandatory in Quebec under Bill 25 since September 2022
  • Credit monitoring fees offered to affected customers ($10 to $30 per customer)
  • Permanent increase in transaction costs for you, as your business becomes an increased risk
  • Potential civil suits by affected customers
  • Damage to reputation difficult to quantify but often devastating for a small local business

4. Loss of right to accept payment cards

In serious or repeated cases, your processor may terminate your contract and place you on the MATCH (Member Alert To Control High-risk merchants) list, a list maintained by Mastercard and consulted by acquirers across North America. Once on this list, it becomes extremely difficult to find a new processor, and the listing normally stays for 5 years.

It’s easy to calculate: investing 20 minutes a year in an SAQ questionnaire and using a certified terminal costs infinitely less than the least of the above consequences.

How does Global Payments via Geasy Pay simplify your PCI compliance?

Geasy Pay is an official partner of Global Payments, one of the world’s largest payment service providers, operating in over 100 countries. This global infrastructure means that almost all the technical burden of PCI DSS compliance is already absorbed by Global Payments before you even put your terminal on the counter.

1. Point-to-point encryption (P2PE)

With a PCI SSC-approved P2PE solution, your customer’s card data is encrypted from the moment it is inserted or approached at the terminal, and remains encrypted throughout processing, right up to final decryption in Global Payments’ ultra-secure environment.

The direct consequence for you is that your systems (POS, computer, Wi-Fi, server) never see card data in clear text; they only carry ciphertext they cannot decrypt. This drastically reduces your PCI compliance perimeter and makes you eligible for the shortest questionnaire, SAQ P2PE (~10 minutes a year). Two conditions apply: the solution must appear on the PCI SSC’s list of validated P2PE solutions (a terminal that merely encrypts is not enough), and you must operate it as its P2PE Instruction Manual (PIM) describes, in particular never keying a card number into any other system.

2. Tokenization

When a customer pays with their card, Global Payments replaces the card number (PAN) with a token: a reference value that means something only to Global Payments and only for your merchant account. A single-use token identifies that one payment; a multi-use token lets you charge the same card again later without ever holding the PAN. If someone steals a token from your systems, they cannot recover the card number from it or use it with another processor. The one thing you must protect on your side is the API credential that lets your account submit charges, since a multi-use token plus your credential is enough to create a transaction.

Particularly useful for :

  • Recurring payments (subscriptions, NPO dues)
  • Loyal customers whose payment method you want to keep
  • Online retailers who don’t want to have to ask for a new card number every time they make a purchase

3. PCI PTS-certified terminals

All terminals supplied by Geasy Pay (Ingenico Desk 5000, Ingenico Move 5000, Genius terminals, etc.) are PCI PTS (PIN Transaction Security) certified. This certification guarantees that :

  • Keypad is resistant to PIN code extraction attempts
  • Data never leaves the terminal unencrypted
  • The terminal detects attempts at physical tampering (opening the case, drilling, probing) and responds by erasing its cryptographic keys, which leaves it inoperable rather than exploitable.

See our complete Interac terminal guide to compare available terminals, and our guide to POS systems in Quebec for integrated solutions.

4. Secure cloud platform

The Global Payments infrastructure is hosted in ISO 27001-certified data centers that comply with the world’s highest security standards. All firewalls, intrusion detection systems and access logs are managed 24/7 by Global Payments security teams – not by you.

5. Human support from Geasy Pay

Our local team in Quebec can help you with :

  • Identify your PCI DSS level and the right SAQ questionnaire to complete
  • Guide you through the SAQ in French
  • Check the secure configuration of your Wi-Fi and user accounts
  • Alert you if a major security update is required

Assess your PCI compliance today!

Here are the practical steps you need to take to bring your business into compliance (or check that you already are):

Step 1 – Identify your PCI DSS level

Estimate your annual number of card transactions (all categories: credit, debit, in-store, online). If you’re below 1 million total transactions per year, you’re most likely Level 4.

Step 2 – Identify the right SAQ questionnaire

There are several SAQ questionnaires to choose from, each tied to a precise way of accepting cards:

  • SAQ A – Card-not-present only (e-commerce, mail or telephone order) with every cardholder data function outsourced to a validated third party; for a website, the card fields must come from the provider (full redirect or a provider-hosted iframe), never from your own page. Simplest, ~15-20 minutes.
  • SAQ A-EP – E-commerce site where your own page controls how card data reaches the provider (a form you host that posts directly to the processor, or provider JavaScript embedded in your page), even though your server never receives the number.
  • SAQ B – Imprint machines or stand-alone dial-out terminals (phone line, no IP connection), no electronic storage of card data.
  • SAQ B-IP – Stand-alone PCI PTS-approved terminals connected over IP, not connected to any other system of yours, no electronic storage of card data.
  • SAQ C-VT – Virtual terminal: you key card numbers into a web browser one transaction at a time (phone orders, payment links).
  • SAQ C – Payment application or POS system connected to the Internet, no electronic storage of card data.
  • SAQ P2PE – Hardware terminals that are part of a P2PE solution listed by the PCI SSC, used as its P2PE Instruction Manual describes, no electronic storage of card data.
  • SAQ D – All other cases, including anyone who stores card numbers (the most comprehensive and demanding).

If you’re using a standard Geasy Pay terminal on its own, you’ll most likely complete SAQ B-IP or, with a listed P2PE solution, SAQ P2PE, two of the shortest. SAQ A applies to an outsourced online checkout, not to a physical terminal.

Step 3 – Complete your SAQ and sign your Attestation of Compliance (AOC)

The SAQ is a yes/no questionnaire about your business’s security practices. Once completed, you sign the Attestation of Compliance (AOC) and send it to your payment processor (Geasy Pay). Valid for 12 months.

Step 4 – Perform ASV scans if applicable

Whether quarterly scans by an Approved Scanning Vendor (ASV) are required depends on your questionnaire: SAQ A-EP, B-IP, C and D include them, while SAQ A, B, C-VT and P2PE do not. Where they apply, they are mandatory: the ASV scans your Internet-facing addresses from outside every quarter, the scan has to come back with no high-severity finding to pass, and the passing scan report is part of your compliance evidence. Typical cost: $50 to $200 per quarter. Geasy Pay can recommend an ASV partner if required.

PCI DSS and Bill 25: what Quebec merchants need to know

In Quebec, PCI DSS obligations sit inside a broader regulatory framework: Bill 25 (An Act to modernize legislative provisions as regards the protection of personal information), which came into force in three stages, in September 2022, September 2023 and September 2024. All of its provisions are now in force.

What Bill 25 requires of Quebec businesses

  • Designate a privacy officer for your organization
  • Maintain a public privacy policy on your website
  • Notify the Commission d’accès à l’information (CAI) and affected individuals in the event of a confidentiality incident presenting a serious risk of harm
  • Keep a register of confidentiality incidents, even minor ones
  • Conduct a Privacy Impact Assessment (PIA) prior to any information system project involving personal information

Bill 25 penalties: administrative monetary penalties of up to $10 million or 2% of worldwide turnover, and penal fines of up to $25 million or 4% of worldwide turnover (whichever is greater in each case), with civil action also possible.

The overlap with PCI DSS

Payment card data contains personal information within the meaning of Bill 25 (cardholder name, card number). Your PCI DSS compliance therefore contributes directly to your Bill 25 compliance in terms of payment security. But Bill 25 goes further: it covers all the personal information you collect (customer e-mail addresses for loyalty purposes, telephone numbers for appointment reminders, etc.), not just payment data.

Our recommendation: treat PCI DSS compliance as the foundation for payment security, and Bill 25 as the overall framework for managing personal data in your business. The two are complementary and must be respected in parallel.

Frequently asked questions about PCI DSS compliance in Canada

Does my business really have to be PCI DSS compliant in Canada?

Yes, any business that accepts, processes, stores or transmits payment card data (Visa, Mastercard, Amex, Interac debit) must be PCI DSS compliant, regardless of volume – even a single transaction per month is enough to trigger the obligation. This obligation is imposed by the card networks and your payment processor, not by government law, but the financial penalties are very real: monthly non-compliance fees, fines in the event of a breach, even loss of the right to accept cards.

How can I secure card payments in my restaurant or store?

Three concrete actions in 2026: 1) Use a PCI PTS-certified terminal connected to a certified payment provider (such as Geasy Pay via Global Payments) that supports P2PE encryption and tokenization; 2) Give the terminal a wired connection, or its own Wi-Fi network secured with WPA3 (or at least WPA2) and a long passphrase, kept separate from the guest and staff Wi-Fi so that nothing else on your network can reach it; 3) Complete your SAQ questionnaire annually and keep your signed AOC on file. For most SMEs, these 3 actions cover the essentials of PCI DSS compliance.

What does PCI DSS compliance mean for SMEs?

For a Canadian SME (generally Level 4 PCI), compliance mainly consists of: completing an annual self-assessment questionnaire (SAQ A most often, 15-20 minutes), using certified terminals and payment solutions, securing the business’s Wi-Fi network, not storing card numbers on local or paper files, and applying security updates to systems (POS, computers). Most of the technical work is absorbed by your payment service provider.

How much does PCI DSS compliance cost for a small business?

If you use a certified payment service provider such as Geasy Pay, the cost of PCI DSS compliance for an SME is generally limited to a minimal administrative fee – often included in your monthly package. Additional costs appear only for e-commerce businesses (quarterly ASV scans at $50-200) or Level 1-2 businesses (QSA audits at $5,000-50,000/year). Conversely, not being compliant costs $20-80/month in PCI non-compliance fees on your statement – paying to do nothing.

What are the 4 levels of PCI DSS compliance?

Level 1: over 6 million Visa transactions/year (mandatory annual audit). Level 2: 1 to 6 million (audit or SAQ). Level 3: 20,000 to 1 million e-commerce transactions (SAQ + ASV scan). Level 4: less than 20,000 e-commerce transactions or less than 1 million total transactions (SAQ + ASV scan recommended). Over 95% of Canadian SMEs are in Level 4, and only have to complete an annual self-assessment questionnaire.

What happens in the event of a payment data breach?

In the event of a breach: 1) Mandatory notification to your payment processor and, in Quebec, to the Commission d’accès à l’information (Bill 25); 2) Forensic investigation ($15,000 to $50,000) to determine the cause; 3) Notification to affected customers and offer of credit monitoring ($10-30/customer); 4) Possible fines from the card networks ($5,000 to $100,000/month until brought into compliance); 5) Risk of civil action; 6) Possible placement on the MATCH list if the business is found responsible, which makes it very hard to find a new acquirer for up to 5 years.

What is the SAQ (Self-Assessment Questionnaire)?

The SAQ is an annual self-assessment questionnaire that you complete to validate your PCI DSS compliance. There are several versions (SAQ A, A-EP, B, B-IP, C, C-VT, P2PE, SPoC and D), each matching a way of accepting cards. For an outsourced online checkout, SAQ A applies: about 30 yes/no questions in version 4.0.1, 15-20 minutes to complete. For a store that only uses a certified terminal supplied by Geasy Pay, the matching questionnaires are SAQ B-IP or SAQ P2PE, which are of similar length.

What is payment tokenization and why is it important?

Tokenization replaces your customer’s card number with a token, a reference value that identifies the card only to your processor and only for your merchant account. If someone were to steal this token from your systems, they could not recover the real card number from it or use it with another processor. Tokenization is particularly useful for recurring payments (subscriptions, NPO donations), online stores and loyalty programs: a multi-use token lets you charge a customer’s saved card again without ever having the real card data in your systems, which is why the API credential that authorizes charges on your account must be guarded as carefully as the card data itself would be.

How does Global Payments help with PCI DSS compliance?

Global Payments (via Geasy Pay in Quebec) absorbs most of the technical burden of PCI DSS by providing: 1) An ISO 27001 and PCI DSS Level 1-certified cloud platform; 2) PCI SSC-validated point-to-point encryption (P2PE) that reduces your compliance perimeter; 3) Automatic tokenization of all transactions; 4) PCI PTS-certified terminals; 5) A local Geasy Pay team to guide you through the SAQ. Result: you remain responsible only for the security of your user accounts, passwords and Wi-Fi.

Are PCI DSS and Quebec’s Bill 25 compatible?

Yes, and even complementary. PCI DSS specifically protects card payment data. Quebec’s Bill 25, in force in all its provisions since September 2024, covers all the personal information you collect (payments, but also e-mail addresses, telephone numbers, customer files). Your PCI DSS compliance contributes to your Bill 25 compliance on the payment side, but Bill 25 adds further obligations: appointing a privacy officer, publishing a privacy policy, keeping an incident register, notifying the Commission d’accès à l’information in the event of a leak. Bill 25 administrative penalties can reach $10 million or 2% of worldwide turnover, and penal fines $25 million or 4%.

Assess your PCI compliance with Geasy Pay

Not sure if you’re PCI DSS compliant? See a PCI Non-Compliance Fee line on your monthly statement and don’t know what to do? Just want peace of mind that your business is protected?

Geasy Pay offers you a free assessment of your PCI compliance:

Complete diagnosis of your current situation (PCI level, SAQ required, risk exposure)
Concrete recommendations to close identified gaps
French-language support from our local team in Quebec
Seamless migration to our Global Payments-certified terminals if you change providers
Elimination of monthly PCI non-compliance fees (often $20-$80/month) upon compliance.

Contact us today:

  • +1 438-806-0450
  • Request a free quote via our contact form
  • Live chat with an advisor in less than 15 minutes
